nss_compat allocates buffer space on the stack using alloca (and extend_alloca) for initgroup and keeps extending it to fit larger lines. This breaks for cases where the number of members in a group is very large, causing the alloca reference to go beyond the thread stack boundary. I have posted a patch on libc-alpha that implements a fallback to malloc/free if the buffer size needed is beyond __libc_alloca_cutoff: http://sourceware.org/ml/libc-alpha/2012-02/msg00503.html

How reproducible: Always

Steps to Reproduce:
1. In /etc/nsswitch.conf:
   group: compat
   group_compat: files
2. Create a large number of users for a single group:
   for i in $(seq 1 70000); do
       useradd -M -N -s /sbin/nologin -G foo somelongusernameaaaaaaaaaaaa$i
       echo Created somelongusername$i
   done
3. Start nscd
4. groups somelongusernameaaaaaaaaaaaa100

Actual results: nscd crashes

Expected results: nscd does not crash

Additional info: This is also possible with ldap (the original case is with ldap):
   group: files compat
   group_compat: ldap
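The fallback described above, as an added C illustration that is not the glibc patch: a group-line parser keeps its scratch buffer on the stack via alloca only while the needed size stays under a cutoff and switches to malloc/free beyond it, so a member list of the size built by the reproducer can no longer push the stack pointer past the thread's stack. ALLOCA_CUTOFF is a constructed stand-in for __libc_alloca_cutoff, and count_group_members/parse_constructed_group are hypothetical names.

```c
#define _GNU_SOURCE
#include <alloca.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALLOCA_CUTOFF (64 * 1024)  /* constructed stand-in for __libc_alloca_cutoff */

typedef struct {
    long members;    /* comma-separated members found, -1 on allocation failure */
    bool used_heap;  /* true when the buffer came from malloc instead of alloca */
} parse_result;

/* Copy LINE into a scratch buffer and count its members.  alloca stays in
   this function on purpose: its storage is released when the caller of
   alloca returns, so it cannot be hidden behind a helper. */
parse_result count_group_members(const char *line)
{
    size_t need = strlen(line) + 1;
    bool heap = need > ALLOCA_CUTOFF;   /* large line: do not touch the stack */
    char *buf;
    if (heap)
        buf = malloc(need);
    else
        buf = alloca(need);
    if (buf == NULL)
        return (parse_result){ -1, heap };
    memcpy(buf, line, need);

    long n = 0;
    char *save = NULL;
    for (char *tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save))
        n++;
    if (heap)
        free(buf);                       /* stack storage needs no release */
    return (parse_result){ n, heap };
}

/* Constructed input: N members named PREFIX1,PREFIX2,... as in the reproducer. */
parse_result parse_constructed_group(size_t n, const char *prefix)
{
    size_t each = strlen(prefix) + 21;   /* room for digits and a comma */
    char *line = malloc(n * each + 1);
    if (line == NULL)
        return (parse_result){ -1, false };
    size_t len = 0;
    line[0] = '\0';
    for (size_t i = 1; i <= n; i++)
        len += (size_t)sprintf(line + len, "%s%zu%s", prefix, i, i < n ? "," : "");
    parse_result r = count_group_members(line);
    free(line);
    return r;
}
```

With 70000 members of the reproducer's name length the line is a few megabytes, well past the cutoff, so the parse completes on a heap buffer instead of overrunning the thread stack.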
Updated patch here: http://sourceware.org/ml/libc-alpha/2012-02/msg00664.html
I'm reviewing this issue.
Fixed upstream with 984a42374ce2055836f580c2240306171757ea72.
Created attachment 6339 [details] Patch for another unbound alloca in nscd group handling

Additional QE testing showed another unbounded alloca in the nscd group handling; specifically the allocation of DATASET within cache_addgr. Using the testing procedures in this BZ nscd would coredump after blowing out the stack. Attached is a follow-up patch we're using to address the additional unbound alloca.
nscd is still segfaulting due to unbound alloca uses using the testing procedures originally reported in this bug.
2012-11-28  Jeff Law  <law@redhat.com>

	[BZ #13761]
	* nscd/grpcache.c (cache_addgr): Rename alloca_used to
	dataset_temporary. Track alloca usage into alloca_used. If
	dataset is large allocate and release it via malloc/free.